jdow wrote:
I was recently on the receiving end of an ssh attack (which had less
chance of success than a nitrocellulose cat in a traditional hell) from
CIHost. And now I have received a spate of low-scoring DKIM-identified
spams from emaildirect.com, which is hosted in CIHost's address range.
O1.com NETBLK-O1-BLK4 (NET-65-98-128-0-1)
65.98.128.0 - 65.98.255.255
EmailDirect, Inc. NETBLK-65-98-146-0 (NET-65-98-146-0-1)
65.98.146.0 - 65.98.146.255
Were they legitimate at one time?
They seem to be at least semi-legitimate:
- they have a web site at www.emaildirect.com - offering services for
email marketing, customer relationship management, etc. (not a business
I particularly respect, but it's a real business - providing they follow
opt-in policies and such)
- I ran some of the addresses in their netblock against the major
anti-spam databases (gotta love dnsstuff.com) - and they're not listed
Sort of suggests that the low-scoring spam is quasi-legitimate traffic
and that the ssh attack is from a hacker who's either into their machine
or forging their IP address somehow.
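The two checks discussed above (is EmailDirect's netblock really inside the O1.com/CIHost block, and are its addresses listed on the major DNS-based blocklists) can be scripted. The example below is added here and is not code from either poster or from dnsstuff.com. It uses the netblock ranges exactly as printed in the post; the DNSBL zone names are real public zones chosen as illustration, since the post does not say which databases dnsstuff.com queried. The resolver is a constructed offline stand-in so the block runs without network access; swap in `live_resolver` to query for real. Sample address 192.0.2.77 and its listing are made up.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Netblocks as printed in the WHOIS excerpt in the post ("start - end" ranges).
O1_RANGE = ("65.98.128.0", "65.98.255.255")
EMAILDIRECT_RANGE = ("65.98.146.0", "65.98.146.255")

# Real public DNSBL zones; which ones dnsstuff.com used is not stated in the post,
# so this list is an assumption for illustration.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus signals query errors (e.g. blocked open resolver) with 127.255.255.x
# answers; these are not listings and must not be read as "IP is on the list".
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[str]]


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Convert a WHOIS-style start-end range into the equivalent CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def is_subrange(inner: List[ipaddress.IPv4Network],
                outer: List[ipaddress.IPv4Network]) -> bool:
    """True if every block of `inner` lies inside some block of `outer`."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 65.98.146.10 -> 10.146.98.65.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, zones, resolve: Resolver) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Query each zone for `ip`.

    Returns (listed, errors): `listed` maps zone -> 127.0.0.x answer code for zones
    that list the address; `errors` maps zone -> 127.255.255.x error answer.
    NXDOMAIN (None from the resolver) means not listed.
    """
    listed: Dict[str, str] = {}
    errors: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        addr = ipaddress.ip_address(answer)
        if addr in ERROR_NET:
            errors[zone] = answer
        elif addr in LISTED_NET:
            listed[zone] = answer
    return listed, errors


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed offline stand-in for DNS: query name -> A record, else None."""
    return lambda name: table.get(name)


# Constructed sample answers: nothing for the EmailDirect address (matching the
# poster's "not listed" finding); a made-up 192.0.2.77 is listed by spamcop and
# gets a Spamhaus error code rather than a listing.
FAKE_DNS = {
    dnsbl_query_name("192.0.2.77", "bl.spamcop.net"): "127.0.0.2",
    dnsbl_query_name("192.0.2.77", "zen.spamhaus.org"): "127.255.255.254",
}

if __name__ == "__main__":
    o1 = range_to_networks(*O1_RANGE)
    ed = range_to_networks(*EMAILDIRECT_RANGE)
    print("O1.com:", o1, "EmailDirect:", ed, "contained:", is_subrange(ed, o1))
    resolve = make_fake_resolver(FAKE_DNS)  # replace with live_resolver for real checks
    for ip in ("65.98.146.10", "192.0.2.77"):
        listed, errors = check_dnsbl(ip, DNSBL_ZONES, resolve)
        print(ip, "listed:", listed or "none", "errors:", errors or "none")
```

The error-code handling is the caveat worth keeping: a naive "any 127.x answer means listed" check will misreport an address as blocklisted when Spamhaus is merely refusing the query, which is exactly the kind of false signal that muddies a who-is-spamming-whom investigation like the one above.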